High-level minimum elements for a G7 SBOM for AI framework

[riteshnoronha]

🧩 Minimum Elements: Data Field Requirements for AI SBOM

Based on [BSI: SBOM for AI – Food for Thoughts]

Lets implement check to verify if an AISBOM has the minimum required elements.

sbomqs score -c bsi-ai-v1 llama_sbom.json 

Sample SBOM: llama_sbom.json

Below are the minimum elements with their CDX mappings, this is my first take.

---

Models Used by the AI System

• Type
  → component.type = "machine-learning-model"
• Name (Identify the Model)
  → component.name
• Model Creation Details & Usage
  → Annotated via component.modelCard or component.properties

Learnings

• Training Techniques
  → component.modelCard.modelParameters
• Training Datasets
  → Represented as component of type "data"
• Datasheets
  → component.externalReferences (type: "documentation")

Datasets

• Identification, Creation & Provenance
  → component with type = "data"

Safety and Security

• Guardrails
  → Link to external reference documentation
  → component.externalReferences (type: "other")
• Considerations
  → component.modelCard.considerations

System-Level Characteristics

(Placeholder — to be defined per system-level SBOM structure or runtime context)

Key Performance Indicators

• Metrics and Evaluation
  → component.modelCard.quantitativeAnalysis

Licensing

• Model License
  → component.licenses

Infrastructure

• System Infrastructure
  → Captured via standard SBOM structure (components, services, etc.)

SBOM Verifiability

• Component-level verification
  → Use hashes (e.g., SHA-256)
• SBOM-wide authenticity
  → Signed using tools like Cosign
  → Signature should be externally verifiable

Manufacturer

• Entity responsible for the model/system
  → metadata.manufacturer